Autoruns

Editors Note: I just published this and the formatting is FUBAR. I apologise for this... but jet lag is setting in so I will try and fix it up tomorrow after some sleep and c0ff33. Cheers!

Thanks to our previous MFT analysis, we saw the file 'ijjfkkxw.exe' being placed in the StartUp folder. We should probably check our autorunsc output to A) VERIFY this finding and B) potentially find additional autorun locations.

Again, Excel is my friend here and a separate the output into nice pretty columns. Reiterating the information I found last time, these are the potentially malicious files:

• windows.exe (Temp folder)
• ijjfkkxw.exe (StartMenu\Programs\StartUp)
• keqkhgks.log (Application Data)
• ijjfkkxw.exe (Application Data\agrsahog)
• areapmadsdctysii.exe (Temp folder)
  
  There are many ways to go about looking thru this output. Let's start by simply doing keyword searches. The only hit I get is for the file'ijjfkkxw.exe'. Here is a screenshot.

So it looks like Autorunsc has provided a few more locations where this piece of malware keeps itself in order to maintain persistence.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: This registry key tells Microsoft which programs to run automatically when a user logs onto the machine. See the Microsoft page. C:\Documents and Settings\Administrator\Start Menu\Programs\Startup: This is simply a location within the OS where programs which should be started at StartUp (not just a clever name) can be placed. This is not a registry key, you can generally navigate to it via Explorer or the command line to see its contents (just check what you can and cannot view!) HKCU\Software\Microsoft\Windows\CurrentVersion\Run: For the CURRENT USER (in this case Administrator), this registry location has the programs which should automatically start at run time. More information is here. Based on the locations above, it seems like no matter who logs into the machine, the malware will be executed. This is important as it means that simply cleaning 'Administrator' may not clean all users who have logged onto this machine after infection. Another method analysts use when looking at this output is to focus on 'Description' or 'Publisher'. Malware writers can be very lazy and write little to no information in the Description section. If we filter for blanks under 'Description' we see a few more entries, but all three of the malicious exe file are still observed. Now for publisher, people can filter on 'Not Verified' or again blank.  In theory (of course we have seen examples contradicting this) if the file is 'Verified' and is a company you trust (for example Microsoft) you can be less concerned about this. Of course when you have malware using signed Microsoft drivers... well then you have big problems. However, lets assume we are NOT dealing with some APT here and further filter our blank description with removing all "Verified" Windows files. For the sake of trying to smoosh (thats the technical term) the relevant columns in on screen, I highlighted the 'known' bad files. Now whats left is verifying the remaining files. We see an autorun entry which is no longer valid as the file is gone (Google searches seem to indicate this is normal?). The rest are shell extensions for WinRAR. Basically what they allow a user to do is right click on a file (which displays what is known as the context menu) and then alter that file using common WinRAR action (compress/decompress/view archives/etc) or when a user drags and drops a file. You can also try to Google search the CLSID to see if it is associated with the program it says it is. Is the user supposed to have this on their machine? Again, this is where having a baseline comes in handy! Wow-- so what do we have left to analyze? Memory  Internet History Registry System Logs Prefetch We definitely have some good data already, but let's see if we can find more indications of badness!